
Thread: Rogue AV/AS prolific

  1. #21
    AplusWebMaster (Adviser Team; joined Oct 2005, USA, 4,241 posts)

    Police arrest Ransomware cybercriminals ...

    FYI...

    Police arrest Ransomware cybercriminals
    - http://blog.trendmicro.com/trendlabs...vity-nabbed-2/
    Feb 13, 2013 - "... Trend Micro threat researchers have been studying this scam throughout 2012 and have collaborated very closely with law enforcement authorities in several European countries, especially in Spain. Today, we are very happy to report that the Spanish Police has put the information to good use, and they have just announced in a press conference the arrest of one of the head members of the cybercriminal gang that produces the Ransomware strain known as REVETON. The apparent arrest of this cybercriminal of Russian origin occurred in Dubai, United Arab Emirates. The law enforcement authorities are working to extradite him to Spain for prosecution. Along with his arrest, the operation included the arrests of 10 other individuals tied to the money laundering component of the gang's operations, which managed the monetization of the PaySafeCard/UKash vouchers received as payment in the scam. The gang apparently had a branch in Spain that exchanged these vouchers and converted them into actual money, which would then be transferred to the leaders of the gang in Russia..."

    - http://news.yahoo.com/spain-busts-ra...201859529.html
    Feb 13, 2013 - "... The gang, operating from the Mediterranean resort cities of Benalmadena and Torremolinos, made at least €1 million ($1.35 million) annually... The 27-year-old Russian alleged to be the gang's founder and virus developer was detained in the United Arab Emirates at the request of Spanish police while on vacation and an extradition petition is pending, Martinez said. Six more Russians, two Ukrainians and two Georgians were arrested in Spain last week... Money was also stolen from the victims' accounts via ATMs in Spain, and the gang made daily international money transfers through currency exchanges and call centers to send the funds stolen to Russia. Spanish authorities identified more than 1,200 victims but said the actual number could be much higher. The government's Office of Internet Security received 784,000 visits for advice on how to get rid of the virus. Those arrested face charges of money laundering, participation in a criminal operation and fraud."

    - http://h-online.com/-1803788
    14 Feb 2013

    Last edited by AplusWebMaster; 2013-02-14 at 19:05.
    This machine has no brain.
    ....... Use your own.
    Browser check for updates here.
    .

  2. #22
    AplusWebMaster (Adviser Team)

    DHS-themed Ransomware in the wild

    FYI...

    DHS-themed Ransomware in the wild
    - https://www.us-cert.gov/ncas/current...med-Ransomware
    Last revised: March 22, 2013 - "US-CERT has received reports of apparently DHS-themed ransomware occurring in the wild. Users who are being targeted by the ransomware receive an email message claiming that use of their computer has been suspended and that the user must pay a fine to unblock it. The ransomware -falsely- claims to be from the U.S. Department of Homeland Security and the National Cyber Security Division. Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware... US-CERT and DHS encourage users and administrators to use caution when encountering these types of email messages..."

    Screenshot: http://news.softpedia.com/newsImage/...somware-2.jpg/
    March 21, 2013

    - http://www.reuters.com/article/2013/...92K0Z920130321
    Mar 21, 2013

    Last edited by AplusWebMaster; 2013-03-22 at 16:36.

  3. #23
    AplusWebMaster (Adviser Team)

    Ransomware leverages victims' browser histories for increased credibility

    FYI...

    Ransomware leverages victims' browser histories for increased credibility
    - https://www.computerworld.com/s/arti...ed_credibility
    April 1, 2013 - "... A new ransomware variant that employs this trick was spotted over the weekend by an independent malware analyst known online as Kafeine. Dubbed Kovter, this version stands out because it uses information gathered from the victim's browser history in order to make the scam message more credible, Kafeine said Friday in a blog post*. Kovter displays a fake warning allegedly from the U.S. Department of Justice, the U.S. Department of Homeland Security and the FBI, that claims the victim's computer was used to download and distribute illegal content. The message also lists the computer's IP address, its host name and a website from which the illegal material was allegedly downloaded. The malware checks if any of the sites already present in the computer's browser history is present in a remote list of porn sites whose content is not necessarily illegal, and if there's a match, it displays it in the message. By using this technique and naming a site that the victim has actually visited as the source for the alleged illegal content, the ransomware authors attempt to increase the credibility of their message. If no match is found when checking the browser history against the remote list, the malware will just use a random porn site in the message... The authors of police-themed ransomware are constantly trying to improve their success rate and this is just the latest in a long series of tricks they have added. Some variants are actually using the computer's webcam, if one is present, to take a picture of the user and include it in the message in order to give the impression that the authorities are recording the user. Another variant gives victims a deadline of 48 hours to pay the made-up fine before their computer drive is reformatted and their data is destroyed. The average number of daily infection attempts with police-themed ransomware has doubled during the first months of 2013..."
    *Screenshot: https://d1piko3ylsjhpd.cloudfront.ne..._kovter_01.png


  4. #24
    AplusWebMaster (Adviser Team)

    Ransomware - Reveton.B ...

    FYI...

    Ransomware - Reveton.B...
    - https://www.net-security.org/malware_news.php?id=2497
    May 17, 2013 - "... Microsoft researchers are warning about a new variant of the well-known Reveton ransomware doing rounds. It is being delivered on the victims' computer via the Blackhole exploit kit, and on the surface acts like it always did: locks the computer screen and demands money to unlock it:
    > https://www.net-security.org/images/...n-17052013.jpg
    ... in the background, the malware downloads a password-stealer component from its C&C server and runs it. "PWS:Win32/Reveton.B can steal passwords for a comprehensive selection of file downloaders, remote control applications, FTP, poker, chat and e-mail clients, as well as passwords stored by browsers and in protected storage," say* the researchers. "However, as it can load almost any DLL served by the C&C on the fly, this might change." Keeping your OS and software updated should minimize the possibility of being faced with malware, they say, but in case you do get hit by a Reveton infection, it's a good idea to change all your passwords once you remove the malware from the computer."
    * http://blogs.technet.com/b/mmpc/arch...l-pay-off.aspx
